
Business Objects security model

An interesting way to implement Row Level Security

In one of my previous client engagements, I found that multiple universes were in use organization-wide. Many different types of sensitive data were being restricted at different levels on fact tables, dimension tables or hierarchy tables, mainly using the default features of Universe Access Restrictions. These access restrictions are primarily a set of hard-coded conditions of the form TableName.ColumnName = '' or TableName.ColumnName IN ('XX', 'YY') etc., applied at the CMS user group level.

Foreword: Access restriction. A restriction is a named group of access constraints that apply to a universe. You can apply a restriction to a selected user group or to a user account for any universe. When users connect to a universe, the connection, objects, rows, query types, etc. that they can use in the universe are determined by the restriction applied to them.

For example, if you click the “create, modify or delete, or apply access restriction” button, or alternatively navigate to Tools -> Manage Security -> ‘Manage Access Restrictions…’, you can see the restrictions that are already applied to a universe.

These instructions are not what I primarily intend to discuss here. My real intention is to discuss how we can dynamically handle ‘changed conditions’ in an access restriction without altering the associated universe.

The requirement is to design a scalable model for a ‘Business Objects Security Table Implementation’ that provides row-level security: the client can update the security data as the requirements of the business functions change, and those changes automatically propagate to the universes and restrict data accordingly.

For example, the present condition in the universe access restriction “BG_ACCESS_RESTRICTION” is WHERE DW_BOOKING.DW_BOOKING_FACT.ORDER_TYPE = 'XXXXXX', applied to the CMS user group “Sales DB – APAC ENT”. So the corresponding universe will have something like this:

And the corresponding access restriction is like this:

Now let us come back to our original problem: build a security model that dynamically updates the hard-coded value in the access restriction.
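
One way to meet this requirement, shown as an added example that is not from the original post: the restriction text becomes a fixed subquery against a security table, so a data update changes what a user sees without touching the universe. It is simulated in SQLite with constructed data; the BO_SECURITY table, its columns, the logins and the :login parameter are assumptions.

```python
import sqlite3

# Hard-coded form, as in the page's BG_ACCESS_RESTRICTION example.
HARD_CODED = "DW_BOOKING_FACT.ORDER_TYPE = 'XXXXXX'"

# Table-driven form: the restriction text never changes; allowed values live in
# BO_SECURITY (hypothetical table). Assumption: in a universe, :login would be
# supplied by the platform, e.g. the @Variable('BOUSER') system variable.
TABLE_DRIVEN = (
    "DW_BOOKING_FACT.ORDER_TYPE IN ("
    "SELECT ALLOWED_VALUE FROM BO_SECURITY "
    "WHERE USER_LOGIN = :login AND COLUMN_NAME = 'ORDER_TYPE')"
)

def build_db():
    """Create constructed sample data: a fact table and a security table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE DW_BOOKING_FACT (BOOKING_ID INTEGER, ORDER_TYPE TEXT);
        CREATE TABLE BO_SECURITY (
            USER_LOGIN TEXT NOT NULL, COLUMN_NAME TEXT NOT NULL,
            ALLOWED_VALUE TEXT NOT NULL,
            PRIMARY KEY (USER_LOGIN, COLUMN_NAME, ALLOWED_VALUE));
        INSERT INTO DW_BOOKING_FACT VALUES
            (1, 'XXXXXX'), (2, 'YYYYYY'), (3, 'ZZZZZZ');
        INSERT INTO BO_SECURITY VALUES ('apac_user', 'ORDER_TYPE', 'XXXXXX');
    """)
    return db

def visible_bookings(db, restriction, login=None):
    """Run the report query with the restriction appended as its WHERE clause.
    The restriction is one of the trusted constants above, never user input."""
    sql = f"SELECT BOOKING_ID FROM DW_BOOKING_FACT WHERE {restriction} ORDER BY 1"
    params = {"login": login} if ":login" in restriction else {}
    return [row[0] for row in db.execute(sql, params)]

def grant(db, login, value):
    """Business-side change: a data update only, no universe edit or export."""
    db.execute("INSERT INTO BO_SECURITY VALUES (?, 'ORDER_TYPE', ?)", (login, value))

if __name__ == "__main__":
    db = build_db()
    print(visible_bookings(db, HARD_CODED))
    print(visible_bookings(db, TABLE_DRIVEN, "apac_user"))
    grant(db, "apac_user", "YYYYYY")
    print(visible_bookings(db, TABLE_DRIVEN, "apac_user"))
    # A login with no rows in BO_SECURITY matches nothing (fails closed).
    print(visible_bookings(db, TABLE_DRIVEN, "unknown_user"))
```

Because the lookup fails closed, write access to the security table itself becomes the control point and should be limited to the people who own the access decisions.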